All CMMC efforts should start with a scoping exercise.

Scoping has one key goal: to define your secure enclave. Your enclave defines your CMMC compliance footprint and is ultimately what is subject to assessment by a Certified Third-Party Assessor Organization (C3PAO).


The larger or more complex your enclave, the greater the costs you will incur. Accordingly, we approach scoping with an eye for compliance as well as for opportunities to shrink your enclave.



en·clave (än-klāv): A set of system resources that operate in the same security domain and that share the protection of a single, common, continuous security perimeter. – NIST

Prerequisite – Identify Target Maturity Level

Prior to scoping, organizations should already have a target CMMC Maturity Level. Most organizations will start at either:

  • Level 1 – You only handle Federal Contract Information (FCI)
  • Level 2 – You handle Controlled Unclassified Information (CUI) and FCI

Determining your target maturity level is a management decision based upon:

  • Contract Analysis: Whether existing contracts contain DFARS 252.204-7012 or flow-down requirements.
  • Discussions: With contracting officers, contracting officer technical representatives, program managers, etc. to determine the type of data.
  • Corporate Strategic Goals: Whether you want to be able to bid on only Level 1 or Level 1 and Level 2 contracts in the future.

We can assist in this process upon request.

Step 1. Identify Assets

Meet with stakeholders, review documentation (network diagrams, data flow diagrams, architecture documents, and more) to identify the assets in your assessment scope.

The CMMC Level 1 and Level 2 Scoping Guides together identify six Asset Categories: FCI Assets, CUI Assets, Security Protection Assets (SPA), Contractor Risk Managed (CRM) Assets, Specialized Assets, and Out-of-Scope Assets.

However, other ‘things’ also fall within the assessment scope, namely people and facilities. For example, the CMMC Awareness and Training (AT) practices require security awareness training delivered to people, and the Physical Protection (PE) practices require security controls in facilities.

Additionally, some of your assets may involve third parties with their own compliance requirements, such as cloud service providers (CSPs) or other external service providers (ESPs), like managed IT service providers.

In this step, we work with your team to identify your in-scope assets and classify them into an appropriate asset type. This is the foundation of the remainder of your scoping exercise.

Step 2. Analyze and Optimize

Work with stakeholders to identify opportunities to minimize your scope.


CMMC Assessment Scope Before and After

Step 3. Asset Applicability

Document asset applicability for each CMMC Practice.

Based on what we’ve learned by working with your team, we will document asset applicability conclusions for each in-scope asset for each practice. For any practice that does not apply to a particular asset, we will document the rationale. For example, the requirement to escort visitors does not apply to an engineering system that processes CUI.

Data Driven Approach

Powered by our CMMC Compliance Tool

All scoping documentation is entered into our internally developed CMMC Compliance Tool, which is yours forever as a benefit of retaining us for any CMMC-related service.

Even the simplest organizations will have thousands of CMMC compliance data points. Attempting to comply in any manner other than a data-driven one invites waste and error.

The tool is easily maintained in your own environment. It is your security data, and we believe you should have the right to keep it in your environment, forever.

From scoping to the creation of your SSP, the CMMC Compliance Tool tracks thousands of requirements, scoping decisions, and internal assignment of responsibility, evidence location, related status, and more.


Your CMMC Advisors

Scott McAuliffe

Risk Advisory Services Partner

Chris Moschella

Risk Advisory Services Senior Manager

Contact Us